News

Internet Presents Web of Security Issues

 


 [Note to Editors: For a downloadable copy of this story 

 with color graphics and sidebars, point your browser to 

 www.defenselink.mil or http://websecurity.afis.osd.mil.]

 

 By Paul Stone

 
American Forces Press Service




 WASHINGTON -- In a briefing room deep in the Pentagon 

 earlier this year, Air Force Lt. Col. Buzz Walsh and Maj. 

 Brad Ashley presented a series of briefings to top DoD 

 leaders that raised more than just a few eyebrows.

 

 Selected leaders were shown how it was possible to obtain 

 their individual social security numbers, unlisted home 

 phone numbers, and a host of other personal information 

 about themselves and their families – simply by cruising 

 the Internet.

 

 Walsh and Ashley, members of the Pentagon's Joint Staff, 

 were not playing a joke on the leaders. Nor were they 

 trying to be clever. Rather they were dramatically, and 

 effectively demonstrating the ease of accessing and 

 gathering personal and military data on the information 

 highway – information which, in the wrong hands, could 

 translate into a vulnerability.

 

 "You don't need a Ph.D. to do this," Walsh said about the 

 ability to gather the information. "There's no rocket 

 science in this capability. What's amazing is the ease and 

 speed and the minimal know-how needed. The tools (of the 

 Net) are designed for you to do this."

 

 The concern over personal information on key DoD leaders 

 began with a simple inquiry from one particular flag 

 officer who said he was receiving a large number of 

 unsolicited calls at home. In addition to having the 

 general's unlisted number, the callers knew specifically 

 who he was.

 

 Beginning with that one inquiry, the Joint Staff set out to 

 discover just how easy it is to collect data not only on 

 military personnel, but the military in general. They used 

 personal computers at home, used no privileged information 

 – not even a DoD phone book – and did not use any on-line 

 services that perform investigative searches for a fee.

 

 In less than five minutes on the Net Ashley, starting with 

 only the general's name, was able to extract his complete 

 address, unlisted phone number, and using a map search 

 engine, build a map and driving directions to his house.

 

 Using the same techniques and Internet search engines, they 

 visited various military and military-related Web sites to 

 see how much and the types of data they could gather. What 

 they discovered was too much about too much, and seemingly 

 too little concern about the free flow of information vs. 

 what the public needs to know.

 

 For example, one Web site for a European-based installation 

 provided more than enough information for a potential 

 adversary to learn about its mission and to possibly craft 

 an attack. Indeed, the Web site contained an aerial 

 photograph of the buildings in which the communication 

 capabilities and equipment were housed. By pointing and 

 clicking on any of the buildings, a Web surfer would learn 

 the name of the communications system housed in the 

 building and its purpose.

 

 Taking their quest for easily accessible information one 

 step further, the Joint Staff decided to see how much 

 information could be collected just by typing a military 

 system acronym into an Internet search engine. While not 

 everyone would be familiar with defense-related acronyms, 

 many of them are now batted around the airwaves on talk 

 shows and on the Internet in military-related chat rooms. 

 They soon discovered how easy it was to obtain information 

 on almost any topic, with one Web site hyper-linking them 

 to another on the same topic.

 

 What the Joint Staff was doing when they collected their 

 information is commonly called "data mining" -- surfing the 

 Net to collect bits of information on individuals, specific 

 topics or organizations, and then trying to piece together 

 a complete picture. Individuals do it, organizations do it 

 and some companies do it for profit.

 

 While the information they discovered presented legitimate 

 concerns, it wasn't all negative. The Army's Ft. Belvoir, 

 Va., home page was cited as one example of a Web site which 

 served the needs of both the military and the public. It 

 had the sort of information families or interested members 

 of the public need and should get.

 

 So what does all this mean? Is DoD creating individual and 

 institutional security problems? In the rush to make 

 information available to the internal audience, is too much 

 being made available to the public and those who might want 

 to inflict harm?

 

 The Joint Staff doesn't pretend to have all the answers to 

 these questions, but is encouraging users to think about 

 these issues whenever they put information on the Internet; 

 and they believe that, in some cases, DoD is it's own worst 

 enemy.

 

 Michael J. White, DoD's assistant director for security 

 countermeasures, agrees with the Joint Staff analysis. 

 Moreover, as a security expert, he is concerned DoD does 

 indeed exceed what needs to be on the Internet.

 

 "For fear of not telling our story well enough, we have 

 told too much," he said. "Personally, I think there's too 

 much out there … and you need to stop and ask the question: 

 Does this next paragraph really need to be there, or can I 

 extract enough or abstract enough so that the intent is 

 there without the specificity? And that is hard to do 

 because we are pressed every day. So sometimes expediency 

 gets ahead of pausing for a minute and thinking through the 

 process: Does the data really need to be there? Is it going 

 to hurt me tomorrow morning?

 

 DoD's policy on releasing information to the public, as 

 spelled out by Defense Secretary William Cohen in April 

 1997, requires DoD "to make available timely and accurate 

 information so that the public, Congress and the news media 

 may assess and understand the facts about national security 

 and defense strategy." The same statement requires that 

 "information be withheld only when disclosure would 

 adversely affect national security or threaten the men and 

 women of the Armed Forces."

 

 "On the one hand," Ashley said, "we have fast, cheap and 

 easy global communication and coordination. On the other 

 hand, we find ourselves protecting official information and 

 essential elements of information against point-and-click 

 aggregation. Clearly, this balancing act is a function of 

 risk management. Full openness and full protection are 

 equally bad answers. We have a serious education, training 

 and awareness issue that needs to be addressed."

 

 The Joint Staff repeatedly returns to the issue of "point-

 and-click aggregation" as a problem that is often 

 overlooked when military personnel and organizations place 

 data on the Internet. What they're referring to is the 

 ability to collect bits of information from several 

 different Web sites to compile a more complete picture of 

 an individual, issue or organization with very little 

 effort.

 

 "The biggest mistake people make is they don't understand 

 how easy it is to aggregate information," Walsh said.

 

 The lesson from this is that even though what is posted on 

 the Net is perfectly innocent in and by itself, when 

 combined with other existing information, a larger and more 

 complete picture might be put together that was neither 

 intended nor desired.

 

 A more obvious problem, yet still one not always considered 

 when posting information on the Internet, is that the "www" 

 in Web site addresses stands for "world wide" Web. 

 Information posted may be intended only for an internal 

 audience – perhaps even a very small and very specific 

 group of people. But on the Net, it's available to the 

 world.

 

 This, security experts agree, is an enormous change from 

 the time when foreign intelligence gathering was extremely 

 labor intensive and could only be done effectively on U.S. 

 soil.

 

 "If I'm a bad guy, I can sit back in the security of my 

 homeland and spend years looking for a vulnerability before 

 I decide to take a risk and commit resources," Ashley said. 

 "I'm at absolutely no risk by doing that. I can pick out 

 the most lucrative targets before hand, and may even just 

 bookmark those targets for future use. We won't know 

 something has been compromised until it's too late."

 

 White agrees with the Joint Staff's concern.

 

 "You can sit in Germany and have access to the United 

 States just as easily as you can in Australia or the 

 People's Republic of China or Chile," White said. "It 

 doesn't matter where you are. You can go back and forth and 

 in between and lose your identity on the net 

 instantaneously. Those who seek to use the system feel 

 comfortable they won't be discovered."

 

 In addition to these issues, security experts see another 

 recurring and disturbing problem. In the rush to take 

 advantage of the Net's timeliness and distribution 

 capabilities, military personnel are forgetting about or 

 ignoring the For Official Use Only policies which 

 previously made the information more difficult to obtain. 

 Yet anyone using the Internet doesn't have to venture far 

 into the array of military Web sites to come across one 

 which states: "For Official Use Only."

 

 If the information is For Official Use Only, security 

 experts said Web site developers, managers and commanders 

 must ask themselves whether the information should be there 

 in the first place.

 

 While officials are most concerned about the information 

 being placed on military Web sites, they had similar 

 warnings about individual or family Web sites. The Joint 

 Staff recommends the same precautions should apply at home, 

 especially as personnel move into high-ranking, key 

 leadership positions.

 

 At a time when the flow of information is beyond anyone's 

 capability to either digest it or control its direction, 

 it's not likely the problems brought forward recently by 

 the Joint Staff will be solved any time soon. The first 

 step, security experts said, is awareness the problems 

 exist. Commanders have to understand not just the 

 information capabilities of the World Wide Web, but the 

 information vulnerabilities as well.

 

 The second step, Walsh pointed out, is for commanders to 

 become actively involved in the issue of what's being put 

 on the Internet. Current DoD policies require that local 

 commander, public affairs and security reviews prior to 

 release of data on Web pages. But the flow of information 

 is so great, these reviews may not be occurring and few are 

 looking at the aggregation problem.

 

 "I think it would be very appropriate for a public affairs 

 officer to be the commander's lead representative," Walsh 

 said. "But it's a commander's issue and it should go down 

 command lines. This is certainly an operational security 

 issue. Just like operational security is everybody's 

 business, this ultimately is everyone's responsibility."

 

 White concurred and recommends installations create 

 "security-integrated product teams" which would be tasked 

 to develop and implement guidelines for creating and 

 monitoring Web sites on the installation.

 

 "I think having a group come together before the (Web site 

 development) process begins will remove an awful lot of 

 pain in the long run," White said. "We need to step back 

 one step and think before we begin any effort, because once 

 it's done you can't undo it. That makes it very hard in a 

 digital environment."

 

 Although it's not possible to retrieve what's already on 

 the World Wide Web, nor predict how it will influence 

 future security issues, Walsh, Ashley and White believe 

 it's not too late to make a difference. With a little more 

 forethought and a lot more planning, it will be possible to 

 better protect the next generation of warfighters, both on 

 and off the battlefield, they said.